XOM
===

Go over basic crypto
    Block ciphers (AES)
    Message Authentication Codes (MACs)
        HMAC: HMAC(K, m) = H((K XOR 0x5c5c...) || H((K XOR 0x3636...) || m))
              (K zero-padded to the hash block size; 0x36 = ipad, 0x5c = opad)
        CBC-MAC
    Public key encryption

What is the goal of this system?
    Probably prevent piracy, support other forms of "trusted" computing
    Works in a new security model:
        Owner of the computer might be the bad guy
        So want to control how people use their hardware
    Beyond that, the exact security claims are a bit nebulous
    Other possible applications?
        Mobile code, on-line banking/gambling, resisting theft of physical devices

What is trusted computing?
    - attestation
    - curtained memory
    - sealed storage

What do the authors mean by compartments?
    What's the traditional definition of compartment (as in the VMM paper)?

Basic XOM architecture components
    Compartment key table
        Holds keys that encrypt and MAC memory
        Requires changes to cache, hardware table walking to load tags
        What about replay?  That's the application's problem??! (p. 4)
    Register key table
        Each slot contains a key that encrypts registers
          plus a pointer to a slot in the compartment key table
        Multiple register table slots could point to the same compartment--why?
            Threads
        Why not just use the compartment key to encrypt registers?
            Would make replay easy
            So the register key changes each time it is used

Go over Table 1 (* = kernel only)
    Managing compartment keys:
        *xalloc $rt, offset($base) - allocate slot $rt of compartment key table
        *xrclm $rt - free slot in compartment table (if not used by register table)
                     also flushes cache
    Managing register keys:
        *xinval $rt - clear entry in register key table
        xenter $rt, $rd - enter compartment
            $rt specifies slot in register table
            $rd will contain previous register key (or reg table entry?)
        xexit $rt - exit compartment, set key in register table to $rt
        How big is $rt?  Probably a 64-bit register
            But keys are supposed to be 256 bits...
            maybe the authors are confused
    Working within a compartment
        xsd/xld $rt, offset($base) - store to / load from encrypted+MACed memory
        xmvtn/xmvfn $rt - clear or set ownership of register $rt
                          (move to NULL compartment / move from NULL compartment)

Basic example - a simple application executing in a compartment:
    Application makes xom_alloc (key *) system call
    OS uses xalloc to allocate a slot in the compartment table
    Returns the value of this slot from the system call
    Application text segment might look like this:

        put address of _key in argument register
        syscall
        xenter $v0,$0
        XXXXXX bunch of encrypted gobbledygook XXXXXX

    The gobbledygook is encrypted with the compartment key
    The compartment key is encrypted with the processor's public key
    When decrypted, the gobbledygook might look like this:

        xmvfn $1
        xmvfn $2
        xmvfn $3
        ...
        call start_of_program

    What happens if you don't use xmvfn?
        Processor will trap on next use of the register, because it has a NULL tag
    Of course, you need the other way around, too:
        trap if a protected register is used in the NULL compartment
    What happens if we get rid of the trap in XOM mode (but keep it in NULL mode)?
        OS could fool the application.  How?
        Consider a DRM-enabled music player:

            int drm_ok = debit_account_for_cost_of_one_listen (user, song);
            if (!drm_ok) {
              drm_warn ("Sorry, you must deposit more money\n");
              exit (1);
            }
            play_music (song);

        variable drm_ok is probably allocated in a register
        So OS could just set a breakpoint, change value of drm_ok to non-zero
        Note that we need both encryption and a MAC!
            If hardware just decrypted, a modified register would probably decrypt
            to non-zero garbage (which in this example means drm_ok is true)

How do context switches work?
    Need more instructions
        xgetid $rt,$rd - put register table slot number of $rt in $rd
        xenc $rt,$rd - encrypt $rt with the register key, put it in $rd;
                       result lands in co-processor registers 0-3
        xsave $rt,offset($base) - store encrypted register in memory
            $rt is 0-3, specifies a co-processor register
        Why co-processor regs?
            Registers are 64 bits, but the ciphertext is 256 bits.  Why?
            probably 128-bit ciphertext plus a 128-bit MAC
        xrstr/xdec - inverse of the previous two operations
    Look at Figure 2

How does paging work?
    MACs for memory values are stored on different pages
        xhash segment consumes 1/8 of physical memory
    What does xhash probably contain?
        MAC (compartment key, virtual address & cache-line-sized snippet of memory)
    How does this affect the Appel/Li map2?  ...
    OS must page both the encrypted pages and the xhash segment

How do shared libraries work?

How to mount a replay attack -- why is this bad?

How to execute arbitrary code beginning at a cache line

How to trace the instruction stream of an executing program

How to exploit an instruction trace to break the OpenSSL RSA implementation

Would this work for on-line banking?
    Attestation might prevent man-in-the-middle on the network
    Lack of a trusted input path means a virus could still get your keystrokes
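Worked example for the HMAC formula in the "basic crypto" review at the top of these notes. This is an added example, not code from the notes or from the XOM paper; the function names are my own. It implements HMAC exactly as written, H((K xor opad) || H((K xor ipad) || m)), including the two edge cases the formula hides (keys longer than the hash block are hashed first, shorter keys are zero-padded), and checks the result against Python's own hmac module. Verification uses a constant-time compare, since a plain == on tags leaks a timing oracle.

```python
import hashlib
import hmac

IPAD, OPAD = 0x36, 0x5c   # the 0x36.../0x5c... constants from the notes


def hmac_from_definition(key: bytes, msg: bytes, hashname: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K xor opad) || H((K xor ipad) || m)), per RFC 2104.

    The pads are one block wide, so K is first brought to the block size:
    hashed if it is longer than a block, zero-padded if it is shorter.
    """
    block = hashlib.new(hashname).block_size   # 64 for SHA-256, 128 for SHA-512
    if len(key) > block:
        key = hashlib.new(hashname, key).digest()
    key = key.ljust(block, b"\x00")
    ipad_key = bytes(b ^ IPAD for b in key)
    opad_key = bytes(b ^ OPAD for b in key)
    inner = hashlib.new(hashname, ipad_key + msg).digest()
    return hashlib.new(hashname, opad_key + inner).digest()


def verify_tag(key: bytes, msg: bytes, tag: bytes, hashname: str = "sha256") -> bool:
    """Recompute the tag and compare in constant time (no early-exit on first bad byte)."""
    return hmac.compare_digest(hmac_from_definition(key, msg, hashname), tag)


if __name__ == "__main__":
    k, m = b"compartment-key", b"cache line contents"   # constructed sample input
    t = hmac_from_definition(k, m)
    print("matches hmac module:", t == hmac.new(k, m, "sha256").digest())
    print("tampered message rejected:", not verify_tag(k, m + b"!", t))
```

The same construction with SHA-512 only changes the block size, which is why the code reads it from hashlib rather than hard-coding 64.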
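Worked example for the paging section's guess about xhash (MAC over compartment key, virtual address and a cache-line-sized chunk), for the Appel/Li map2 question, and for the "What about replay? That's the application's problem??!" remark. This is an added toy model, not code from the notes or from the XOM paper: the names Compartment, UntrustedMemory, xsd/xld, the 32-byte line size and the virtual addresses are my assumptions, and AES is replaced by a SHA-256 keystream so it runs on the standard library alone. DRAM and the xhash segment are both under OS control; only the compartment key is not. The three attack functions show that bit-flipping and map2-style aliasing (the same ciphertext and MAC presented at a second virtual address) both trap, while rolling DRAM and xhash back together to an older snapshot verifies cleanly, which is exactly the replay gap the notes flag.

```python
import hashlib
import hmac
import os

LINE = 32   # cache-line size assumed for this model, in bytes


def keystream(key: bytes, va: int, n: int) -> bytes:
    """CTR-style keystream bound to the line's virtual address (AES stand-in)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + va.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def line_mac(key: bytes, va: int, ct: bytes) -> bytes:
    """What the notes guess xhash stores: MAC over (virtual address, ciphertext line)."""
    return hmac.new(key, va.to_bytes(8, "big") + ct, "sha256").digest()


class UntrustedMemory:
    """Physical memory plus the xhash segment, both readable and writable by the OS."""
    def __init__(self):
        self.dram = {}    # va -> ciphertext line
        self.xhash = {}   # va -> MAC


class Compartment:
    """One compartment-key-table slot; all xsd/xld traffic goes through it."""
    def __init__(self):
        self.key = os.urandom(32)   # never leaves the "chip"

    def xsd(self, mem: UntrustedMemory, va: int, data: bytes) -> None:
        assert len(data) == LINE
        ct = bytes(a ^ b for a, b in zip(data, keystream(self.key, va, LINE)))
        mem.dram[va] = ct
        mem.xhash[va] = line_mac(self.key, va, ct)

    def xld(self, mem: UntrustedMemory, va: int) -> bytes:
        ct = mem.dram[va]
        if not hmac.compare_digest(mem.xhash[va], line_mac(self.key, va, ct)):
            raise PermissionError("XOM trap: MAC mismatch at va=%#x" % va)
        return bytes(a ^ b for a, b in zip(ct, keystream(self.key, va, LINE)))


VA_A, VA_B = 0x1000, 0x2000
BALANCE_5 = (5).to_bytes(LINE, "big")   # constructed: an account balance of 5 credits


def os_tampers_line() -> str:
    """OS flips bits in DRAM; the MAC no longer verifies."""
    c, mem = Compartment(), UntrustedMemory()
    c.xsd(mem, VA_A, BALANCE_5)
    mem.dram[VA_A] = bytes(b ^ 0xFF for b in mem.dram[VA_A])
    try:
        c.xld(mem, VA_A)
        return "accepted"
    except PermissionError:
        return "trap"


def os_relocates_line() -> str:
    """map2-style aliasing: the same line and MAC mapped at a second virtual address."""
    c, mem = Compartment(), UntrustedMemory()
    c.xsd(mem, VA_A, BALANCE_5)
    mem.dram[VA_B], mem.xhash[VA_B] = mem.dram[VA_A], mem.xhash[VA_A]
    try:
        c.xld(mem, VA_B)
        return "accepted"
    except PermissionError:
        return "trap"


def os_replays_line() -> int:
    """Snapshot the line at balance 5, let the program debit it, then restore the snapshot."""
    c, mem = Compartment(), UntrustedMemory()
    c.xsd(mem, VA_A, BALANCE_5)
    snapshot = (mem.dram[VA_A], mem.xhash[VA_A])
    c.xsd(mem, VA_A, (4).to_bytes(LINE, "big"))    # program debits one credit
    mem.dram[VA_A], mem.xhash[VA_A] = snapshot      # OS rolls back DRAM and xhash together
    return int.from_bytes(c.xld(mem, VA_A), "big")  # verifies: stale 5, not 4
```

The relocation case is the map2 answer in miniature: because the virtual address is an input to the MAC (and here to the keystream), one physical page mapped at two virtual addresses can verify at only one of them. The replay case is the hole: nothing in the MAC says which version of the line is current, so freshness has to come from the application or from some counter the hardware protects, neither of which this scheme provides.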
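Worked example for the drm_ok discussion ("we need both encryption and a MAC") and for the register key table question ("why not just use the compartment key to encrypt registers? would make replay easy"). This is an added toy model, not code from the notes or from the XOM paper: RegisterKeySlot, reg_pad and the attack functions are my names, the key-rotation policy (a fresh key after every restore) is my reading of "the register key changes each time it is used", and AES is replaced by a SHA-256-derived pad so it runs on the standard library alone. One caveat the pad introduces: a stream cipher is malleable, so in the no-MAC case the OS can set drm_ok to exactly 1 rather than the "non-zero garbage" the notes describe for a block cipher; either way play_music runs, and the MAC check is what stops it.

```python
import hashlib
import hmac
import os

REG = 8   # 64-bit registers, as in the notes


def reg_pad(key: bytes) -> bytes:
    """One-time pad for a single register under this key (AES stand-in)."""
    return hashlib.sha256(key + b"register-pad").digest()[:REG]


class RegisterKeySlot:
    """One slot of the register key table, as seen from xenc/xsave and xrstr/xdec."""
    def __init__(self, rotate: bool, use_mac: bool):
        self.rotate = rotate      # True: new key each time the slot's key is used
        self.use_mac = use_mac    # False: "hardware just decrypts", as the notes warn
        self.key = os.urandom(32)

    def xsave(self, value: int) -> bytes:
        """xenc + xsave: hand the OS an encrypted (and optionally MACed) register image."""
        pt = value.to_bytes(REG, "big")
        ct = bytes(a ^ b for a, b in zip(pt, reg_pad(self.key)))
        tag = hmac.new(self.key, ct, "sha256").digest() if self.use_mac else b""
        return ct + tag

    def xrstr(self, image: bytes) -> int:
        """xrstr + xdec: verify if MACed, decrypt, then retire the key."""
        ct, tag = image[:REG], image[REG:]
        if self.use_mac and not hmac.compare_digest(tag, hmac.new(self.key, ct, "sha256").digest()):
            raise PermissionError("XOM trap: register MAC mismatch")
        value = int.from_bytes(bytes(a ^ b for a, b in zip(ct, reg_pad(self.key))), "big")
        if self.rotate:
            self.key = os.urandom(32)
        return value


def player_decides(drm_ok: int) -> str:
    """The branch from the notes' music player."""
    return "play_music" if drm_ok else "drm_warn"


def os_tampers(use_mac: bool) -> str:
    """Context switch while drm_ok == 0 is live; the OS flips one ciphertext bit."""
    slot = RegisterKeySlot(rotate=True, use_mac=use_mac)
    image = bytearray(slot.xsave(0))   # debit failed, so drm_ok == 0
    image[REG - 1] ^= 0x01             # low bit of the ciphertext; with a pad, low bit of drm_ok
    try:
        return player_decides(slot.xrstr(bytes(image)))
    except PermissionError:
        return "trap"


def os_replays(rotate: bool) -> str:
    """OS keeps the image from a paid listen and restores it after a failed debit."""
    slot = RegisterKeySlot(rotate=rotate, use_mac=True)
    paid = slot.xsave(1)       # earlier listen: debit succeeded
    slot.xrstr(paid)           # consumed once, legitimately
    slot.xsave(0)              # now the debit fails...
    try:
        return player_decides(slot.xrstr(paid))   # ...and the OS restores the old image
    except PermissionError:
        return "trap"
```

With a fixed key (rotate=False, i.e. "just use the compartment key") the paid image is a valid ciphertext forever, so the OS can replay it whenever it wants a free listen. Rotating the key on each use means the old image's MAC no longer verifies, which is the property the notes are pointing at; a dropped image is still a denial of service, but not a way to make drm_ok true.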